3310
YSK: Your Lemmy activities (e.g. downvotes) are far from private (i.imgur.com)
submitted 1 year ago* (last edited 1 year ago) by muddybulldog@mylemmy.win to c/youshouldknow@lemmy.world
1193 comments fedilink hide all child comments

Edit: obligatory explanation (thanks mods for squaring me away)...

What you see via the UI isn't "all that exists". Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see "under the hood". Any instance admin, proper or rogue, gets a ton of information that users won't normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.

(page 2) 50 comments
sorted by: hot top controversial new old
[-] SilentMobius@lemmy.world 45 points 1 year ago

I would hope this would be obvious to anyone. If your client can highlight which posts you have upvoted in the web and app UI then the fact that your user specifically upvoted that post must be recoverable from the instance server and thus must be recoverable by the instance admins. I would not expect anything different.

load more comments (6 replies)
[-] Landrin201@lemmy.ml 42 points 1 year ago

Reddit always had this too though. In every app I used there was an "up voted" and "down voted" tab when I would look at someone's profile

Maybe it was an api thing?

[-] HadManySons@lemmy.ml 26 points 1 year ago

It was. You could disable the ability for people to see what you voted on.

load more comments (2 replies)
[-] Dav@kbin.social 42 points 1 year ago

So everyone knows I upvote my own posts? This is an outrage.

load more comments (5 replies)
[-] JesusTheCarpenter@feddit.uk 41 points 1 year ago

Now we know who are the people stalling the liftoff of the bean's meme to the stratosphere.

load more comments (1 replies)
[-] MrFlamey@lemmy.world 39 points 1 year ago

People have burner Reddit and Twitter accounts for posts or votes they think could bite them in the ass, so why wouldn't they do the same on Lemmy?

load more comments (5 replies)
[-] Send_me_nude_girls@feddit.de 39 points 1 year ago* (last edited 1 year ago)

I'm already questioning the whole system behind it, not just votes.

Say you have critical information that you want to delete but other instances can just ignore this deletion request, than I could technically write a plugin that uses an extra instance, to always display all deleted comments to me, despite me being a regular user.

For other sites you'd need a crawler, catching this information and all this in a rapid fashion to be usable, with a lot of programming extra work.

At this point we can as well remove the option to delete or edit a comment as everyone can host their own, which wouldn't be possible with proprietary tools.

If someone can simply see votes the same way, we can as well add a mouse hover function that will display the username of whoever upvoted.

[-] chris@l.roofo.cc 32 points 1 year ago

Displaying the internal information publicly is indeed the more honest approach. Still, people need to understand that Social Media is Public Media. Deleting and editing depends on the goodwill of the receiver. Just imagine you were sending an email when you send something here. It is about the same level of control. It is not like you had much more control on Facebook or Reddit.

load more comments (3 replies)
load more comments (13 replies)
[-] v81@lemmy.world 35 points 1 year ago

There is a fundamental misunderstanding here.

Our data has never been 'invisible'... We've just trusted that places like Reddit and their staff will do the right thing. That's literally how it already works.

If you sign up for Reddit, Reddit staff can see your posts and votes if they want to.

If you sign up for a private forum the admin there can also see database contents.

One way encryption is not possible without stopping functionality... If data about you was encrypted then posts you make couldn't be displayed. If you include a means to decrypt then there was no point encrypting anyway.

This is how it's always been, and Lemmy doesn't change this status quo much.

A faceless corporation that has had access to your data is just replaced by a variety of admins distributed across instances.

This isn't a good or bad thing, the potential for abuse does exist, but when we have literally made agreements with places like Reddit that they can use and sell our data... then what difference does it make it an admin takes a peek?

It wouldn't be great... but nothing is perfect.

It's still worth working on however, to see if a better solution can be found, but at this time I'd say just be aware that it is possible that your data can be seen and understand the only safeguard against that if you need to communicate something private would be to use direct messaging with end to end encryption.

load more comments (4 replies)
[-] ICastFist@programming.dev 34 points 1 year ago

Sounds like a "non-issue" to me, really. That's kind of the point with the fediverse. If I run an instance, I have access to its database and, thus, everything stored in it. That was the case with old PHPBB forums, admins could see everything.

The questions is what ends up stored from outside my own instance. I haven't looked at the source, but I would hazard a guess that it's mostly some json blobs and/or pointers to users/instances.

load more comments (5 replies)
[-] Ozymati@lemmy.nz 33 points 1 year ago

I'm safe, I upboated the beans

[-] kuneho@lemmy.world 33 points 1 year ago

I'm fine with it.

I mean... you can get information accessing the database. Can anyone access the instance DBs? No. How would you know reddit doesn't log these in its database somewhere?

On it's own, it's not a problem IMO. Why would you want to show all information stored on the frontend? But, if you have to investigate something, it's not that bad you have stuff in your database that can help it.

Granted, if an admin is a shitface, they can look at these information. And then...? Make fun of downvoting people? Go to other instance and that's it.

load more comments (13 replies)
[-] athlon@lemm.ee 32 points 1 year ago

For as much as I love Lemmy, its obvious that it is an early software. Mark my words, that’s not the last privacy threat it will experience.

load more comments (4 replies)
[-] OFTHEHILLPEOPLE@lemmy.world 32 points 1 year ago

Beyond upvote/downvote data is there anything else that is seen beyond whether someone had an arbitrary influence on a post?

load more comments (1 replies)
[-] hddsx@lemmy.world 32 points 1 year ago

Well time to write a bot that creates a new account for every vote and comment

[-] PixxlMan@lemmy.world 31 points 1 year ago

Admins can see literally everything. If you can see it (from your end, like whether you've upvoted something), it has to be stored somewhere and of course the server owners can see it

load more comments (5 replies)
[-] triplenadir@lemmygrad.ml 31 points 1 year ago

"unlike reddit" mm I'm sure they have RIGOROUS controls over which creepy staff / disgruntled plutocrats / repressive regimes get access to their voting database..

load more comments (2 replies)
[-] madsen@lemmy.world 31 points 1 year ago* (last edited 1 year ago)

Good find, albeit a bit horrifying.

I wonder what the GDPR implications of this is. As far as I understand, even free, privately run services are required to abide by GDPR and offer data insight and deletion. They're also required to state clearly what happens to user data.

Edit: Apparently people have varying takes and feelings on what the GDPR does and does not say, so I urge you to please read the summary of GDPR data privacy here: https://gdpr.eu/data-privacy/ as well as the summary of what constitutes personal data here: https://gdpr.eu/eu-gdpr-personal-data/ It's easier to have a good and fruitful discussion if we talk about what the GDPR actually says.

load more comments (17 replies)
[-] CamelCase@lemm.ee 31 points 1 year ago* (last edited 1 year ago)

It's not just upvotes and downvotes. Instance admin also knows your email and can store your password in plaintext if they want to. It's up to user to decide whether to trust the instance admin

[-] mikegioia@lemmy.ml 30 points 1 year ago* (last edited 1 year ago)

I think you need to clarify how they can see the password. It’s not stored in plaintext, but when the user logs in, the server administrator can see the password in the HTTP post data if they log it in the lemmy sourcecode. All apps are subject to this and it’s why to have to trust the instance owner.

load more comments (1 replies)
load more comments (23 replies)
[-] giantshortfacedbear@lemmy.ca 30 points 1 year ago

Is the poster's IP address, system, or other system identifier/location, tracked?

If I have users giantshortfacedbear and throwaway123. Then it could be inferred or impled that they are same person if there are from the same IP or phone.

[-] muddybulldog@mylemmy.win 32 points 1 year ago

That information is not tracked in the application itself. A "home instance" admin could correlate their web access logs with the database to draw this kind of conclusion but it's not federated info.

load more comments (1 replies)
load more comments (1 replies)
[-] SubArcticTundra@lemmy.ml 28 points 1 year ago

I don't think that's necessarily bad. You upvote to indicate your approval of something. Usually people approve things to recommend it to others.

load more comments (3 replies)
[-] mtnwolf@lemmy.world 27 points 1 year ago* (last edited 1 year ago)

The things I upvote and downvote are in line with my personal values and I am not ashamed of that. I have no issues with anyone knowing my reaction to a post. On Discord anyone can see who leaves reactions on a message. Same with Facebook. It will show you who added what reaction.

[-] Cosmiques@lemmy.world 30 points 1 year ago

The things I upvote and downvote are in line with my personal values and I am not ashamed of that.

Sounds an awfull lot like I have nothing to hide therefore I don't need privacy. The goal of crypto etc is to design protocols that allow you not having to trust anyone. I don't want to trust anyone, and I don't.

load more comments (2 replies)
load more comments (12 replies)
load more comments
view more: ‹ prev next ›
this post was submitted on 04 Jul 2023
3310 points (96.0% liked)

You Should Know

32162 readers
27 users here now

YSK - for all the things that can make your life easier!

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must begin with YSK.

All posts must begin with YSK. If you're a Mastodon user, then include YSK after @youshouldknow. This is a community to share tips and tricks that will help you improve your life.

Rule 2- Your post body text must include the reason "Why" YSK:

**In your post's text body, you must include the reason "Why" YSK: It’s helpful for readability, and informs readers about the importance of the content. **

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding non-YSK posts.

Provided it is about the community itself, you may post non-YSK posts using the [META] tag on your post title.

Rule 7- You can't harass or disturb other members.

If you harass or discriminate against any individual member, you will be removed.

If you are a member, sympathizer or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people and you were provably vocal about your hate, then you will be banned on sight.

For further explanation, clarification and feedback about this rule, you may follow this link.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- The majority of bots aren't allowed to participate here.

Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.

Partnered Communities:

You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.

Community Moderation

For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.

Credits

Our icon(masterpiece) was made by @clen15!

founded 1 year ago
MODERATORS
_MoveSwiftly@lemmy.world
Thekingoflorda@lemmy.world
ja2@lemmy.world
Rooki@lemmy.world
Boozilla@lemmy.world